notaryproject / notaryproject.dev

Notary Project Website

Home Page: https://notaryproject.dev

Document how to delete signature using ORAS CLI

priteshbandi opened this issue · comments

Until notation supports delete signature functionality, we should add documentation on how users can delete a signature using the ORAS CLI.

commented

Here are the steps to delete signatures.

Pre-condition:

  • Sign a container image successfully

Steps:

  1. Find out the digest of the signature manifest. You can use notation ls, notation inspect or oras discover to find out the digest of the signature manifest. For example:

     $ notation ls localhost:5001/net-monitor:v1
     Warning: Always list the artifact using digest(@sha256:...) rather than a tag(:v1) because resolved digest may not point to the same signed artifact, as tags are mutable.
     localhost:5001/net-monitor@sha256:8456f085dd609fd12cdebc5f80b6f33f25f670a7a9a03c8fa750b8aee0c4d657
     └── application/vnd.cncf.notary.signature
         └── sha256:f93516b350979e23a4030254b9c0cdfc75f0ae1555b66b20fe6327699259312f

     The digest of the signature manifest in the above example is sha256:f93516b350979e23a4030254b9c0cdfc75f0ae1555b66b20fe6327699259312f

  2. Use oras manifest delete <reference> to delete the signature manifest, for example:

     $ oras manifest delete localhost:5001/net-monitor@sha256:f93516b350979e23a4030254b9c0cdfc75f0ae1555b66b20fe6327699259312f
     Are you sure you want to delete the manifest "sha256:f93516b350979e23a4030254b9c0cdfc75f0ae1555b66b20fe6327699259312f" and all tags associated with it? [y/N] y
     Deleted localhost:5001/net-monitor@sha256:f93516b350979e23a4030254b9c0cdfc75f0ae1555b66b20fe6327699259312f
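
The two steps in the comment above, combined as an added example that is not part of the issue thread or of the Notary Project docs: it reads `notation ls` output and prints the matching `oras manifest delete` commands for review, skipping the digest of the signed artifact itself. The function names `sig_delete_cmds` and `sample_ls_output` are hypothetical, and the input is assumed to have the tree layout shown in the thread.

```shell
#!/bin/sh
# Added example. Reads `notation ls` output on stdin and prints one
# `oras manifest delete` command per signature manifest. Nothing is executed;
# review the printed commands before running them.
sig_delete_cmds() {
  awk -v sigtype='application/vnd.cncf.notary.signature' '
    # Subject line: a single field of the form <repo>@sha256:<hex>.
    repo == "" && NF == 1 && $1 ~ /^[^@]+@sha256:[0-9a-f]+$/ {
      split($1, parts, "@")
      repo = parts[1]; subject = parts[2]
      next
    }
    # Digest line: last field is "sha256:" plus 64 hex characters (71 total).
    repo != "" && length($NF) == 71 && $NF ~ /^sha256:[0-9a-f]+$/ {
      # Only digests listed under the signature artifact type qualify,
      # and never the digest of the signed artifact itself.
      if (in_sig && $NF != subject) {
        print "oras manifest delete " repo "@" $NF
        found++
      }
      next
    }
    # Artifact-type line: remember whether the digests below are signatures.
    repo != "" && NF == 2 { in_sig = ($NF == sigtype) }
    # Non-zero exit status when no signature manifest was found.
    END { exit (found > 0 ? 0 : 1) }
  '
}

# Constructed sample input, copied from the `notation ls` output in the thread.
sample_ls_output() {
  cat <<'EOF'
Warning: Always list the artifact using digest(@sha256:...) rather than a tag(:v1) because resolved digest may not point to the same signed artifact, as tags are mutable.
localhost:5001/net-monitor@sha256:8456f085dd609fd12cdebc5f80b6f33f25f670a7a9a03c8fa750b8aee0c4d657
└── application/vnd.cncf.notary.signature
    └── sha256:f93516b350979e23a4030254b9c0cdfc75f0ae1555b66b20fe6327699259312f
EOF
}

sample_ls_output | sig_delete_cmds
```

Against a real registry the input would come from `notation ls <repository>@<digest>`, using the artifact digest rather than a tag as the warning in the sample output advises.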

Thanks Yi.
Let's add this to notaryproject.dev. Also, is this an example for signatures generated using oci 1.0 or oci 1.1, we should add example for both?

@priteshbandi Instead of adding this part to the Notation Quick Start, I would suggest creating a separate guide to tell users how to delete a signature using the ORAS CLI under https://notaryproject.dev/docs/how-to/ before notation delete is available.

We should keep the Quick Start guide as short as possible and avoid introducing many 3P tools to this Quick Start.

@zr-msft Could you pls also provide your suggestions? Thanks

@FeynmanZhou you're right, I completely agree on the approach.

I'll assign the issue to myself and get a PR together

@FeynmanZhou @yizha1 see PR with minimum viable doc. This didn't seem like it needed a lot of additional context, but happy to add more if you think it's needed